jailkit-users

Re: [Jailkit-users] Best Method of Updating Jailed Executables & Libs?


From: Olivier Sessink
Subject: Re: [Jailkit-users] Best Method of Updating Jailed Executables & Libs?
Date: Thu, 12 Oct 2006 08:47:53 +0200
User-agent: Thunderbird 1.5.0.5 (X11/20060812)

Calvin Cannon wrote:
> Can someone tell me the best-of-practice method of upgrading
> executables & libraries in a jail?

I personally use jk_check to report all binaries that have changed on
the real system, and I then run `jk_cp -vf /myjail /bin/bla /lib/foo
/usr/bin/bar` to upgrade those.

> I have several jails and the number is expected to grow dramatically.
> I thought about hard-linking the files to files in a single directory
> tree so I could just update the files in the tree.  However, that
> would not take care of soft links, etc. within each jail.

Hard links would work if all your chroot jails are on the same
filesystem. But you have to make sure that if you upgrade a binary, it
doesn't delete the original file and then write a new one, because
then the hard links from the other locations don't point to that data
anymore. Soft links usually don't change with security upgrades, so I
don't think that would matter much.

Perhaps a new utility could be added to jailkit to upgrade jails based
on the changes on the real system, but how to prevent that utility from
overwriting a config file in the jail that is meant to be different from
the config file on the real system?

regards,
        Olivier
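
The hard-link caveat in the message above can be checked per file. The shell script below is an added example, not part of the original message and not jailkit code; the function names `jail_file_state`, `audit_jail` and `demo`, and the temporary directory layout, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed data; not jailkit code.
# jail_file_state REAL JAILED -> prints one of:
#   linked        same inode, an in-place upgrade reaches the jail
#   copy-current  separate inode, identical content
#   stale         separate inode, content differs (jail runs the old file)
#   missing       one of the two paths does not exist
jail_file_state() {
    real=$1; jailed=$2
    if [ ! -e "$real" ] || [ ! -e "$jailed" ]; then
        echo missing
    elif [ "$real" -ef "$jailed" ]; then   # -ef: same device and inode
        echo linked
    elif cmp -s "$real" "$jailed"; then
        echo copy-current
    else
        echo stale
    fi
}

# audit_jail REALROOT JAIL PATH...  (REALROOT is "" for the live system)
audit_jail() {
    realroot=$1; jail=$2; shift 2
    for p in "$@"; do
        printf '%s %s\n' "$(jail_file_state "$realroot$p" "$jail$p")" "$p"
    done
}

# demo: reproduce both upgrade styles in a scratch directory and print
# the state of the jailed file after each step.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sys/bin" "$d/jail/bin"
    echo v1 > "$d/sys/bin/tool"
    ln "$d/sys/bin/tool" "$d/jail/bin/tool"        # hard-linked jail copy
    s1=$(jail_file_state "$d/sys/bin/tool" "$d/jail/bin/tool")
    echo v2 > "$d/sys/bin/tool"                    # in-place write, inode kept
    s2=$(jail_file_state "$d/sys/bin/tool" "$d/jail/bin/tool")
    rm "$d/sys/bin/tool"                           # delete, then write a new file
    echo v3 > "$d/sys/bin/tool"
    s3=$(jail_file_state "$d/sys/bin/tool" "$d/jail/bin/tool")
    rm -rf "$d"
    echo "$s1 $s2 $s3"
}

demo
```

Any path reported as `stale` is one where the jail still holds the pre-upgrade file and needs to be re-linked or copied again.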



